Learning Center Home > HIPAA > HIPAA Privacy Rule 101

HIPAA Privacy Rule 101
HIPAA

How to improve your Privacy Rule policies and procedures

This post contains the text from the White Paper: HIPAA Privacy Rule 101. Download the PDF below.

White Paper: HIPAA Privacy Rule 101

Download Here

INTRODUCTION

When it comes to the HIPAA Privacy Rule, healthcare organizations often think they have everything covered. For the most part, this is true. You likely have your privacy practices posted throughout your workplace, and there are usually limited instances where employees leak PHI to the public (such as in football star Jason Pierre-Paul’s case).

However, if covered entities (and other individuals) intentionally obtain or disclose PHI in violation of the HIPAA Privacy Rule, they may be fined up to $50,000 and receive up to one year in prison. But if the HIPAA Privacy Rule is violated under false pretenses, the penalties can be increased to a $100,000 fine and up
to 10 years in prison.

For example, here are several common HIPAA Privacy Rule violations:

  • Social media: Employees should never post patient photos or any patient information on any social media platform (e.g., Twitter, Facebook, LinkedIn)
  • Employees illegally accessing PHI: Employees should not be able to access PHI that they do not need to know about for patient care (e.g., accessing celebrity PHI)


PRIVACY RULE OVERVIEW

With all the financial consequences and prevalence of HIPAA violations, you need to take HIPAA compliance seriously and make sure you have adequate HIPAA Privacy Rule policies and procedures in place.

In this white paper, you will learn the basics about the HIPAA Privacy Rule, how you should handle PHI, what policies you need to have in place, and how to train your staff about HIPAA compliance.

The Privacy Rule addresses appropriate PHI use and disclosure practices for healthcare organizations, as well as defines the right for individuals to understand, access, and regulate how their medical information is used. 

The HIPAA Privacy Rule: 

  • Clarifies and supports patient rights 
  • Spells out administrative responsibilities 

  • Discusses the need and implementation for privacy policies and procedures 

  • Details the permissible uses and disclosures of patient data
  • Discusses written agreements between covered entities and business associates 

  • Describes covered entity responsibilities to train workforce members and implement requirements regarding their use and disclosure of PHI 


Have a HIPAA Deadline?

Request a Quote

BUSINESS ASSOCIATES VS. COVERED ENTITIES

To start your compliance efforts, you need to know where you fit in with HIPAA requirements, since the Privacy Rule applies to all healthcare providers, including those who do not use an EHR, and includes all mediums: electronic, paper, and oral. It guarantees patients’ rights to their own protected health information, access to records, and disclosure on how that information is used or shared. 

A covered entity (CE) is a health plan, healthcare clearinghouse, or healthcare provider that electronically transmits health information (e.g., doctors, dentists, pharmacies, health insurance companies, company health plans, etc.). While a member of the covered entity’s workforce is not a business associate, a healthcare provider, health plan, or healthcare clearinghouse can be a business associate of another covered entity.

On the other hand, a business associate (BA) is a person or entity that performs certain functions that involve the use or disclosure of PHI (e.g., CPA, IT provider, billing services, coding services, laboratories, etc.). Business associates can be from legal, actuarial, consulting, data aggregation, management, administrative, accreditation, and/or financial organizations. Some possible business associate functions include: 

  • Claims processing or administration 

  • Data analysis, processing, or administration 

  • Utilization review 

  • Quality Assurance 

  • Billing 

  • Benefit management 

  • Practice management 

  • Repricing 


For example, a business associate can be a third-party administrator that assists a healthcare organization with claims processing. They can also be a consultant performing utilization reviews for a hospital. 


HEALTHCARE RECORD SETS

In healthcare, there are two basic types of patient records: designated and legal health records. While these two record sets are fairly similar and often contain identical information, there are slight differences that you will need to gather from and for patients. 


DESIGNATED RECORDS

Designated records are medical and/or billing records that are maintained by or for a covered entity. These records are often used in part or whole to make care decisions for patients.

Designated record sets are:

  • Generally broader and more encompassing than legal health records
  • Supports the individual’s right of access
  • Contains any PHI stored in any collected medium
  • Directly used in documenting healthcare status
  • Often housed in multiple systems and/or networks

Designated record sets should also include the information about: amendments, restrictions, and authorized access to patient data.


LEGAL HEALTH RECORDS

Legal health records are the official business and legal record for an organization, and they contain information about services provided by a healthcare provider to a patient. 

Legal health records can and often do include similar PHI as the designated record set, though they are used for different purposes. Specifically, legal health records are used to document and defend an organization’s care decisions.

Legal health records are often used for the following additional purposes:

  • Assist and inform an organization’s internal business decisions (e.g., administrative decisions, employee training)
  • Support decisions that were made in a patient’s care
  • Support revenue sought for third-party payers
  • Legally document the services and treatment provided to patients (e.g., patient’s condition, caregiver’s decisions)


HOW ORGANIZATIONS SHOULD HANDLE PHI

USES AND DISCLOSURES OF PHI

Before sharing patient data, make sure you have thorough policies and procedures established on how you are allowed to use and disclose patient data. For example, you are required to disclose PHI in the following instances: individuals (or their representatives) request this information or the Department of Health and Human Services (HHS) undertakes a compliance investigation or review.

You are allowed (though not required) to use and disclose PHI without an individual’s authorization under the following situations:

  • PHI is disclosed to the patient
  • PHI is used for treatment, payment, or healthcare operations
  • PHI is incidentally used and disclosed (e.g., lobby communication with patients during emergency situations)
  • PHI is used or disclosed for the 12 national priority purposes
    • Required by law
    • Public health activities
    • Victims of abuse, neglect, or domestic violence
    • Health oversight activities
    • Judicial and administrative proceedings
    • Law enforcement purposes
    • Decedents
    • Cadaveric organ, eye, or tissue donation
    • Research
    • Serious threat to health or safety
    • Essential government functions
    • Workers’ compensation

However, there are some exceptions to this rule, such as most uses and disclosures of psychotherapy notes require authorization from patients (i.e., written permission from individuals to use and disclose PHI). Also, you typically must receive patient authorization to use and disclose PHI for marketing purposes, unless it fits within HIPAA exceptions.


MINIMUM NECESSARY 

A large portion of the Privacy Rule is based on the minimum necessary requirement, which states that only those who need to see PHI to do their jobs should get to see it, and unless you have a specific need for the information, access must be restricted. For example, a receptionist (or someone that doesn’t provide direct patient care) probably doesn’t need to see the X-rays of a patient to do their job. 


LIMIT ACCESS TO PHI 

The HHS states “if a hospital employee is allowed to have routine, unimpeded access to patients’ medical records, where such access is not necessary for the hospital employee to do his job, the hospital is not applying the minimum necessary standard.” 

It’s a covered entity’s responsibility to limit who within an organization has access to each specific part or component of PHI. The easiest way to take charge of the data is by creating individual user accounts on a network. In the ideal scenario, each user account in a network, EHR/EMR, or computer system, would be given certain privileges based on the job title or role of the user. 

For example, a doctor’s privilege would get access to all PHI in their patient database because they need it to do their job, while an IT admin would have restricted access to PHI because they’re not involved with patient care. 

The minimum necessary also applies to the information shared externally with third parties and subcontractors. Organizations are required to limit how much PHI is disclosed based on job responsibilities and nature of the third party’s business. Remember, passing too much PHI to a business associate or third party could get your organization slapped with a fine. Be careful about how much data you send and receive. 

However, both covered entities and business associates have a minimum necessary responsibility under HIPAA. That means either party can be fined by the HHS for misapplying (or completely disregarding) the minimum necessary rule. 

To avoid these issues, covered entities and business associates should assess their responsibilities concerning minimum necessary data accordingly: 

  • Covered entity responsibility: determine what data is the minimum necessary to send, and then only send that data and nothing else. 
  • Business associate responsibility: only accept and use the minimum necessary data. 

By limiting PHI access to the smallest number of people possible, the likelihood of a breach or HIPAA violation decreases significantly. 

Download the latest guide to HIPAA Compliance

Download now

HEALTHCARE SECURITY SPECIALIST’S PERSPECTIVE 

MINIMUM NECESSARY BASICS

The minimum necessary requirement is a core principle of the Privacy Rule, and it affects a large amount of decisions surrounding the privacy and security of PHI. The goal of this requirement is to limit the amount of PHI that an organization uses, discloses, or requests to the minimum necessary
to accomplish the intended purpose. 

You can extend this philosophy to how much and what types of PHI an organization creates as well. Every time you grant employee access to PHI or receive a request to send PHI to another organization or individual, ask yourself what is the minimum amount of information required to accomplish the requested task. 

Yes, it’s difficult, but you need to find balance between maintaining patient health and respecting their individual rights. 

There are several exceptions to the minimum necessary: disclosures from one healthcare provider to another for purposes of treatment, patient and any authorized party requests, and uses and disclosures to the HHS Secretary and for any legal purposes. 

-RYAN MARSHALL 

SecurityMetrics HIPAA Fulfillment Manager | HCISPP 


DE-IDENTIFICATION ESSENTIALS

Sometimes healthcare organizations need to use patient data for research, public health, and healthcare operations (e.g., comparative effectiveness studies, policies, assessments); when this happens, make sure you properly de-identify PHI. Specifically, you need to make sure to remove all information that could identify an individual, such as the 18 PHI identifiers, which are:

  • Names
  • Geographic information (e.g., address, city, county, zip code, precinct)
  • Dates related to an individual (e.g., birth date, admission date, discharge date, death date, all ages over 89)
  • Phone number
  • Fax number
  • Email
  • Social security number (SSN)
  • Medical record number
  • Health plan beneficiary number
  • Account numbers
  • Certificate/license numbers
  • VIN and license plate numbers
  • Device ID’s and serial numbers
  • URL’s
  • IP address
  • Biometric identifiers
  • Full face photos and comparable images
  • Any other unique number, characteristic, or code

Once PHI has been adequately de-identified, it is no longer protected by the Privacy Rule. This means that you can disclose this information to anyone without authorization. 

However, codes and other data used to re-identify coded or de-identified PHI are considered PHI if disclosed. But these codes are not considered PHI if they are not related to and cannot be used to identify patients without an appropriate mechanism (which cannot be disclosed).

When using or disclosing  de-identified PHI (or limited data sets), don’t share codes or other data that can be used to identify a patient.

You can also use a limited data set without patient authorization for the following purposes: healthcare operations, research, or public health. A limited data set is similar to de-identified data, except the limited data set can exclude the following information:

  • Geographic subdivisions smaller than a state
  • Elements of date except for year (e.g., birth date, admission date, death date, discharge date)
  • Ages over 89 and dates indicative of such age
  • Other unique identifying numbers, characteristics, or codes

But if you disclose the limited data set outside of your organization, make sure to have a data use agreement in place with the organization receiving this data. Your data use agreement must include:

  • Permissible uses and disclosures
  • Establish authorized parties/organizations
  • Duty to safeguard PHI
  • Duty to report security incidents/impermissible disclosures
  • Agreement to not identify or contact the individuals referred to in the data

If this outside organization is one of your business associates, then your business associate agreement (BAA) can be used as a data use agreement.


DATA RETENTION POLICY

In addition to knowing how you can use and disclose data, make sure your organization implements a data retention policy. Start by deciding how long data needs to be kept and when it should be deleted. Specifically, you need to determine how long data needs to be stored for regulatory purposes and how long you need to store the data.

HIPAA retention requirements require you to keep the data for 7 years, though individual states may require longer retention. If you decide to keep data after 7 years (or however long your state requires), you need to protect it for 50 years after the patient has died. Due to these regulations, organizations often choose to destroy and/or delete data after this time period.

Permanently destroying electronic data may require a few different techniques, depending on how you want it done and whether you want to reuse the media where the data is stored. Here are a few techniques to securely delete your data:


OVERRIDING/CLEARING

Overriding data runs over the data with a sequence of 1’s (some methods use a different set of binary sequences to ensure all the data has been overwritten). There still could be some type of recoverable data on the media, so this method may not be the most secure.


DEGAUSSING

This method is useful if you have magnet tapes and hard drives. Degaussing uses a powerful magnet to erase data on magnetic media. This method is particularly helpful if you want to reuse the media.


PHYSICAL DESTRUCTION

This is one of the most secure methods to permanently delete data. If you don’t plan to use the media again, it’s highly recommended you physically destroy it. You can go to companies that have industrial-sized shredders to dispose of larger hardware. Some types of media require physical destruction for secure data deletion. Solid state drives (SSD) and optical media like DVDs and CDs generally must be destroyed physically. 


IMPLEMENTING PRIVACY RULE POLICIES

Compliance with the Privacy Rule might seem easy for healthcare organizations, but HIPAA Privacy Rule requirements on the various policies and procedures may take up an entire shelf or filing cabinet,
if not more.

If you don’t have all policies and procedures properly in place, your organization faces legal and financial consequences. For instance, when organizations undergo an Office for Civil Rights (OCR) audit or investigation, OCR auditors often review documented policies and procedures, interview staff, and observe if procedures are actually taking place. If all three of these factors don’t match requirements exactly, organizations may be issued hefty fines, such as:

If you’re like most healthcare organizations, you already have organizational policies in place. But they probably haven’t been reviewed or updated in years. Or perhaps you do have policies, but they haven’t been properly documented.

To maintain HIPAA compliance, regularly update your policy and procedure documentation, and ensure employees receive proper training. 

However, policies aren’t just paperwork. They outline in writing what you promise to do to protect your patient’s medical data. In addition to having written policies, make sure that your policies and procedures are frequently updated and stored in a place where it can be easily disseminated to your staff.

Though there are numerous HIPAA Privacy Rule policies, make sure to include the following policies:

  • Notice of Privacy Practices Policy (NPP)
  • Accounting of Disclosures
  • Amending Patient Records
  • Patient Complaints
  • Business Associate Agreement (BAA)


Violation Category

Penalty

Maximum per Calendar Year

(A) Did not know 

$100-$50,000

$1,500,000

(B) Reasonable Cause

$1,000-$50,000

$1,500,000

(C) (i) Willful Neglect-Corrected

$10,000-$50,000

$1,500,000

(C) (ii)Willful Neglect-
Not Corrected

$50,000

$1,500,000


Have a HIPAA Deadline?

Request a Quote

NOTICE OF PRIVACY PRACTICES 

Most healthcare professionals are familiar with Notices of Privacy Practices (NPPs) as being part of HIPAA. Most patients have seen them, and most Covered Entities have them in place and know what they are for. But the most common errors in NPPs are updating how the organization deals with a refusal to acknowledge receipt of privacy practices by a patient and making sure all foreign language versions (e.g., Spanish NPPs) are up to date. 

NPPs are legal documents and are commonly created by groups other than the entities themselves. They are usually provided to them by insurance companies or malpractice attorneys or sometimes a healthcare association. While there is nothing wrong with having NPPs supplied by external parties, they do need to accurately reflect your privacy practices and need to be updated when changes to the law occur. 

An example would be the change to requirements for uses of PHI for marketing purposes that the Omnibus Rule introduced in 2013. Some NPPs created before 2013 had marketing disclosure practices that would now be a violation of the new requirements. 

All NPPs need to be displayed in a prominent location at your organization where a patient would encounter them. If you own a website, it must be published there as well. NPPs must be provided to the patient at first encounter and an attempt to have the patient sign an acknowledgement of receipt form must be made. 

A patient is not required to sign the acknowledgment form or waive any right under the Privacy Rule. If a patient refuses, they cannot be denied any service or receive any retaliation as a result of refusal to sign. When a patient refuses to sign, documentation should show that an attempt was made and the reason it was not accepted. 

NPPs must contain how your organization intends to use and disclose PHI, what the individual’s rights are with respect to information, and how the individual can exercise them, including how to file a complaint. NPPs should include what your legal duties are with respect to this information including a statement that they are legally required to protect the privacy of the information. NPPs also must contain contact information (e.g., phone number) for the Privacy Officer.


ACCOUNTING OF DISCLOSURES

Patients can request an accounting of your disclosures of their PHI made in the last 6 years. They can receive one free accounting in a 12-month period, but after this request, you can charge patients a fee based on the cost of time and material used to provide this accounting.

You need to provide this information within 60 days of the request, unless you receive a 30-day extension by providing the patient with a written statement explaining your reasons for the delay and when they will receive your disclosure information.

Your accounting of disclosures must include the following information:

  • Date of disclosure
  • Frequency or number of disclosures made
  • Name and address of entity or person who received the PHI
  • Description of the PHI disclosed
  • Statement describing the purpose of the disclosure

If PHI disclosures were made for research purposes (involving data from more than 50 individuals), make sure to include:

  • Name of research activity
  • Description of the research’s purpose and criteria used for selecting records
  • Description of the PHI disclosed
  • Date of disclosure period
  • Name, address, and phone number of organization that sponsored the research
  • Statement that an individual’s PHI may or may not have been disclosed for a particular protocol or other research activity

However, covered entities do not have to provide an accounting of disclosures, when healthcare practice and/or information:Did not require specific notification, authorization, or an opportunity to object (e.g., treatment, payment, healthcare operations)

  • Was sent to the patient
  • Was sent to business associates
  • Received formal authorization from the patient


AMENDING PATIENT RECORDS

Though patient records cannot have information removed, patients can request to make amendments to their healthcare records, which offers further explanation, clarification, or revision of health information. 

If patients request an amendment, the covered entity should have patients fill out forms that include:

  • What dates need to be amended
  • What information is incorrect or incomplete
  • What is the reason for requesting the amendment
  • What should the information be amended to look like/contain
  • Authorization for the covered entity to notify individuals that the patient wants to be notified

Covered entities have 60 days from receiving a patient’s request to take action, unless they receive a 30-day extension by providing written notice to the individual detailing your reason for delay and the date which you will take action. On request of a patient, covered entities might also be contacted by other covered entities to amend patient records.

Whether or not you amend patient records upon request, inform the patient about your decision in a timely manner.

A covered entity can deny a patient’s request to amend health information for several reasons. For instance, covered entities can deny a request if the record is not part of the Designated Record Set, it was not created by the covered entity, is not part of their access rights under HIPAA requirement §164.524, or the record is reviewed and determined to be accurate and complete.

If covered entities approve to amend a patient’s record, they need to put this amendment in their record or reference a link to this amendment. Make sure to notify the patient, anyone who the patient requests to be notified, and anyone who would need to know the information to not affect the patient with any negative consequences.

If you deny the request to amend a patient’s record, you must inform the patient that their amendment was denied and why you denied their request. 

Patients also need to know that they can submit a written statement that they disagree with the denial and have this statement included in their record. If they choose not to submit a statement of disagreement, their request for amendment and subsequent denial will still be included in their record. In addition to this, make sure to also inform patients on how to file a complaint.


PATIENT COMPLAINTS

Patients (and any person on behalf of someone else) have the right to file a complaint if they believe that their rights and/or information have been violated or breached in any way. They can choose to file a complaint with the covered entity directly and/or with the secretary of the HHS/OCR.


COMPLAINTS TO THE COVERED ENTITY

If patients file a complaint with the covered entity, the covered entity must have the following information in place about how to file a complaint:

  • A notice in their NPP about their rights to file a complaint
  • Contact information for the person with whom to file a complaint
  • Information on how to file a complaint when requested by a patient


While the covered entity has no obligation to investigate any complaints, especially within a specific timeframe, it’s in your best interest to do so to avoid a complaint with HHS/OCR and for patient satisfaction and trust. Covered entities must also document all complaints received and their response to complaints.

Covered entities are not allowed to intimidate or retaliate against a patient that files a complaint with either the covered entity or HHS/OCR.

When complaints are filed to the covered entity, patients do not have to file a complaint in any specific timeframe.


COMPLAINTS WITH HHS/OCR

If patients file a complaint with HHS/OCR, their complaints must be written within 180 days of the violation or when the patient reasonably should have known about the violation. In this complaint, patients must include the name of the complaint’s subject and a description of the violation. For example, patients should use the online OCR complaint tool.

HHS/OCR will conduct a preliminary investigation of ALL complaints. Once a complaint is determined as valid, they will conduct a further investigation, which might lead to an audit (e.g., desk audit, onsite audit).

Download the latest guide to HIPAA Compliance

Download now

BUSINESS ASSOCIATE AGREEMENTS

BUSINESS ASSOCIATE AGREEMENT BASICS

After the 2013 HIPAA Final Omnibus Rule, HIPAA compliance for both covered entities and business associates has become an even more important priority. The HIPAA Final Omnibus Rule requires covered entities to implement or update a business associate agreement (BAA) for all relationships wherein the business associate creates, receives, maintains, and/or transmits electronic patient information. 

In these new or revised BAAs, covered entities, business associates, and subcontractors agree to share responsibility for patient data protection and breach notification. Here are a few examples of what should be included in your business associate agreement:

  • A minimum necessary policy: Business associates should not use more data than necessary
  • Business associate’s permitted use of PHI: PHI only used to perform service for covered entity, unless assurances of confidentiality are obtained or required by law
  • Prohibited use of PHI: Anything not expressly permitted or that is expressly prohibited cannot be used by the business associate
  • Covered entity’s responsibility: Current NPPs are given to the business associate
  • Appropriate safeguards to protect PHI: Establish and clarify security practices to best secure PHI
  • Breach reporting: Business associates need to notify affected covered entities immediately after discovering the data breach
  • Termination provisions: Conditions for termination and policies on how PHI should be protected, returned, or destroyed upon termination of contract

Additionally, the HHS makes it clear that covered entities must obtain satisfactory assurance that each business associate safeguards the patient data it receives or creates on behalf of the covered entity. That means covered entities must ensure their business associate complies with the terms of their BAA. 

Whether compromised from within your system or the system of a business associate, your organization can be liable for up to $50,000 per violation per day as a result of any breach of your patient data. And that’s just HHS penalties. That doesn’t include civil action, cost of mitigation, and loss of patient trust that may come as a result of a breach. 

With these consequences in mind, remember that you should only share minimal need-to-know data with your business associates, and regularly validate that they are handling your patient’s PHI in a HIPAA compliant manner. That should keep your liability to a minimum. Next, covered entities should do all they can to reduce risks by implementing a business associate compliance program. Such a program should gauge your liability, help you locate business associates, discover what business associates do with your PHI, and help them work towards compliance. 


CREATE YOUR BUSINESS ASSOCIATE COMPLIANCE PROGRAM 

Your business associate plan should evaluate all existing business associate security practices in order to help you address the riskiest vendors first. Then, risk and compliance managers should design, implement, and monitor a mass risk evaluation of business associate networks. 

A plan that starts with the highest risk business associates and tracks related progress will help you prove your effort to address business associate compliance if the HHS decides to audit your organization. 

After determining which business associate(s) you use, make sure every business associate has an adequate BAA in place. Then you should identify all parties (e.g., business associates, subcontractors) that still need to comply with your BAA. Next, ask your business associates for proof they’ve completed a Risk Analysis and are up to date with their Risk Management Plan. If not, either recommend a trusted source to help or stop using their services. Just remember, patient data is too valuable to deal with business associates that choose to ignore compliance best practices. 

Next, classify business associates according to their use of patient data. Determine how much liability each business associate holds by asking a set of risk-evaluating questions, such as: 

  • Is the business associate internal system connected to the Internet? If yes, are those external IPs scanned for vulnerabilities? 

  • How does the business associate obtain protected PHI from you and what data is received? 

  • What is the quantity of the data received? 

  • How is the data stored, protected, backed up and destroyed by the business associate? 


After this quick risk snapshot, you will clearly be able to categorize individual risk levels that determine which business associates put your patient data in the highest risk. Based on the risk ranking from the preliminary risk analysis, you can then start to customize compliance measures to enable business associate HIPAA compliance. 

Remember that HIPAA regulations require you to take action if you know or believe a business associate is not HIPAA compliant. 

If a covered entity terminates a business associate contract, the business associate needs to follow the termination clause. Basically, a business associate needs to make sure that any PHI you have received, created, or maintained is:

  • Returned to the covered entity
  • Protected by adequate safeguards and security
  • Not used or disclosed
  • Permanently deleted


HEALTHCARE SECURITY SPECIALIST’S PERSPECTIVE 

MONITOR YOUR BUSINESS ASSOCIATES’ COMPLIANCE 

Every covered entity with business associates is required to obtain assurances that their business associates treat patient data the way you and the HHS want them to. Whether you choose to personally audit each business associate, or require documented data security procedures, take the initiative to secure the future of your organization and safety of patient data. 

As your business associates progress towards compliance, track their success to ensure an approved level of compliance. As the riskiest business associates reach compliance, begin to reach out toward medium-risk business associates to start the process with them. Don’t forget to re-evaluate every business associate’s plan and associated vulnerabilities each year. Encourage continual education and training programs, such as regular HIPAA security webinars or even an email newsletter. 

-JEN STONE 

SecurityMetrics Security Analyst
MCIS | CISSP | CISA | QSA 

 

White Paper: HIPAA Privacy Rule 101

Download Here

HIPAA TRAINING 

Most workforce members aren’t malicious, but they often don’t know or forget what is required of them. For example, if you don’t give your workforce members specific rules and train them on those rules, they won’t be able to keep PHI secure. Or if employees are trained only once, they might forget policies.

Workforce member training and education will remind them that both privacy and security are important, and it will show them how to stop any bad security behaviors. 

You need to train your staff regularly (e.g., at least quarterly). Training doesn’t have to be lengthy and detailed (e.g., a 20 minute PPT presentation). You can break up training into sections (e.g., monthly small and easy trainings), making it easier to remember and implement procedures. For example, consider having specific training about the following topics:

  • Social media compliance
  • HIPAA privacy and security rules
  • Physical workstation compliance
  • Disposal of data, media, and equipment
  • Social engineering

Specifically, social media use has become even more prevalent. If employees irresponsibly use social media, their actions can easily lead to serious HIPAA violations. Make sure staff understand the consequences of not following your HIPAA policies. 

For example, you can share the story of a nurse at Michigan’s Oakwood Hospital that wrote a Facebook post about a patient accused of killing a police officer. Although the nurse didn’t use the patient’s name or social security number, this was still a breach of the HIPAA Privacy Rule.

Workforce members are considered the weakest link in PHI security and HIPAA compliance by most security professionals. 

As you set up your training plan, here are some tips to consider: 

  • Provide training as a mandatory part of new hire orientation 

  • Require monthly or quarterly training of all staff members or develop a weekly educational program (because annual training isn’t enough) 

  • Keep a repository of policies and procedures (keep these updated and inform staff of updates) 

  • Develop a verification process to ensure training completion
  • Document dates and times when workforce members complete their training 

  • Regularly test workforce members on training 
  • Evaluate your training program effectiveness each quarter 

  • Reduce costs by making training part of your comprehensive educational program

In addition to your training plan, make sure you have and follow appropriate sanctions (i.e., disciplinary action) for workforce members that do not comply with your policies and procedures.


CONCLUSION

HIPAA compliance is never completely finished. You will often need to examine how your organization uses and/or discloses patient information and make adjustments to procedures when necessary.

However, compliance to the HIPAA Privacy Rule doesn’t have to be an impossible task. Break your compliance efforts into manageable tasks. 

For example, start by reviewing one new HIPAA Privacy Rule policy a week, then you can implement procedures to follow your established policy. Next, train workforce members about this new policy and any procedures they need to follow. Make sure that staff receives specific rules and regular training after your initial training.


ABOUT SECURITYMETRICS

We help customers close security and compliance gaps to avoid data breaches. Our forensic, penetration testing, and audit teams identify best security practices and simplify compliance mandates (PCI DSS, HIPAA, HITRUST, GDPR). As an Approved Scanning Vendor, Qualified Security Assessor, Certified Forensic Investigator, we have tested over 1 million systems for security. 

www.securitymetrics.com/hipaa-audit

Have a HIPAA Deadline?

Request a Quote


We are excited to work with you.

*Required

Thank you!

Your request has been submitted.